Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/pattern-token-revocation-sweep.md

1.3 KiB

Pattern: Token Revocation Sweep

Status: seed Readiness target: RL3 production Primary owners: NetKingdom, key-cape, flex-auth Genesis family: Detection and response

Problem

Credential compromise requires quickly invalidating related tokens, sessions, keys, leases, and grants across multiple systems.

Context

Use this pattern for user compromise, agent compromise, tenant incident, OpenBao lease revocation, object-storage session exposure, and SSH certificate containment.

Forces

  • Tokens may be issued by different systems.
  • Some credentials expire naturally but still need immediate revocation.
  • Revocation must target scope without disabling unrelated tenants.
  • Audit and evidence must survive the sweep.

Solution

Define revocation sweep procedures that identify affected actor, tenant, credential class, session, lease, key, and token families, then revoke or expire them through owning systems.

Verification

  • Sweep inputs can target actor, tenant, session, token class, and time window.
  • Revoked credentials fail at enforcement points.
  • Sweep actions are logged with reason and operator.
  • Follow-up rotation and user communication are tracked.
  • Short-lived Credentials.
  • Dynamic Secrets.
  • STS Credential Vending.
  • Incident Runbook Library.